All official City websites, apps, and other digital services leveraged by or developed for the City must pass the Software Security Assurance Process (SSAP), managed by the Software Security Assurance team.
The SSAP is a multi-step process led by NYC Cyber Command. It is critical for ensuring that your product is secure and must be completed before an application can be deployed
Note: City security policies also apply to any software or services purchased by your agency, hosted either on-premises or in the Cloud.
Please complete the following steps:
Familiarize yourself with the City’s security policies
The City has a number of policies relating to how data and personal information is managed. Make sure you review these at the start of your project.
See the list of citywide security policies.
Request a project scoping document
Officially begin the SSAP by using the link at the bottom of this page to request a scoping document. This document tells the Software Assurance team about your project’s objectives and architecture.
Obtain the security requirements for your app
After you discuss your scoping document with the Software Assurance team, you’ll need to onboard your application in the NYC Cyber Command AppSec Platform. This platform will generate a security profile and list of actionable security requirements. It is important to do this early in the SDLC so you can build your product with these requirements in mind.
This platform will be made available to you by the Software Assurance team.
Note: This applies to products that you build or modify in-house, as well as some commercial-off-the-shelf (COTS) software that you purchase. Read about the different types of COTS products and their security requirements.
Go through a security scan before application launch
All sites and apps must go through a security scan, which tests your product for security vulnerabilities. The assurance team will help put you in touch with resources and a methodology to conduct this scan.
How to contact the SSAP team:
Please fill out the form found here: